Revert "mz280: log used credential sources explicitly (#369)"

mzihlmann · mzihlmann · commit 592f5820b585 · 2025-11-16T15:19:13.000Z
This reverts commit 511f65c, reversing changes made to 5b6cfca.
diff --git a/README.md b/README.md
@@ -56,7 +56,6 @@ expect - see [Known Issues](#known-issues).
       - [Caching Layers](#caching-layers)
       - [Caching Base Images](#caching-base-images)
     - [Pushing to Different Registries](#pushing-to-different-registries)
-      - [Credential Provider Priorities](#credential-provider-priorities)
       - [Pushing to Docker Hub](#pushing-to-docker-hub)
       - [Pushing to Google GCR](#pushing-to-google-gcr)
       - [Pushing to GCR using Workload Identity](#pushing-to-gcr-using-workload-identity)
@@ -622,11 +621,6 @@ kaniko comes with support for GCR, Docker `config.json` and Amazon ECR, but
 configuring another credential helper should allow pushing to a different
 registry.
 
-#### Credential Provider Priorities
-
-By default kaniko will configure all built-in credential providers for you. These are `[default, env, google, ecr, acr, gitlab]`.
-You can (de)-activate credential helpers via the [`--credential-helpers`](#flag---credential-helpers) flag. The `default` credential helper will always be active and itself handles two sources: `DOCKER_AUTH_CONFIG` environment variable and `/kaniko/.docker/config.json` file, where priority is always given to `DOCKER_AUTH_CONFIG` and therefore can shadow credentials configured in the config file. If you want to disable `DOCKER_AUTH_CONFIG` you have to unset the environment variable explicitly `unset DOCKER_AUTH_CONFIG` prior to calling kaniko.
-
 #### Pushing to Docker Hub
 
 Get your docker registry user and password encoded in base64
diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go
@@ -187,15 +187,7 @@ var RootCmd = &cobra.Command{
 		}
 		if !opts.NoPush || opts.CacheRepo != "" {
 			if err := executor.CheckPushPermissions(opts); err != nil {
-				logrus.Warnf("make sure you entered the correct tag name, that you are authenticated correctly, and try again.")
-				// mz280: remind users that DOCKER_AUTH_CONFIG gets prioritized by docker-cli
-				// https://github.com/docker/cli/pull/6171
-				_, ok := os.LookupEnv("DOCKER_AUTH_CONFIG")
-				if ok {
-					logrus.Warnf("note that your DOCKER_AUTH_CONFIG env variable can shadow credentials from configfile")
-					logrus.Warnf("see https://github.com/osscontainertools/kaniko/issues/280#issuecomment-3498449955")
-				}
-				exit(fmt.Errorf("error checking push permissions: %w", err))
+				exit(fmt.Errorf("error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: %w", err))
 			}
 		}
 		if err := resolveRelativePaths(); err != nil {
diff --git a/pkg/creds/creds.go b/pkg/creds/creds.go
@@ -17,43 +17,26 @@ limitations under the License.
 package creds
 
 import (
-	"fmt"
 	"io"
-	"os"
-	"strings"
 
 	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
 	"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 	gitlab "github.com/ePirat/docker-credential-gitlabci/pkg/credhelper"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/v1/google"
 	"github.com/osscontainertools/kaniko/pkg/config"
-	"github.com/osscontainertools/kaniko/pkg/util"
 	"github.com/sirupsen/logrus"
 )
 
 // GetKeychain returns a keychain for accessing container registries.
 func GetKeychain(opts *config.RegistryOptions) authn.Keychain {
 	var helpers []string
-	var prios []string
-
-	_, ok := os.LookupEnv("DOCKER_AUTH_CONFIG")
-	if ok {
-		prios = append(prios, "env:DOCKER_AUTH_CONFIG")
-	}
-
-	cf := util.DockerConfLocation()
-	_, err := os.Lstat(cf)
-	if err == nil {
-		prios = append(prios, fmt.Sprintf("file:%s", cf))
-	}
 
 	if len(opts.CredentialHelpers) == 0 {
 		helpers = []string{"env", "google", "ecr", "acr", "gitlab"}
 	} else {
 		helpers = opts.CredentialHelpers
 	}
-	prios = append(prios, helpers...)
 
 	keychains := []authn.Keychain{authn.DefaultKeychain}
 	for _, source := range helpers {
@@ -89,6 +72,5 @@ func GetKeychain(opts *config.RegistryOptions) authn.Keychain {
 		}
 	}
 
-	logrus.Infof("credential providers by priority: [%s]", strings.Join(prios, ", "))
 	return authn.NewMultiKeychain(keychains...)
 }

Original file line number	Diff line number	Diff line change
`@@ -187,15 +187,7 @@ var RootCmd = &cobra.Command{`
`187`	`187`	`}`
`188`	`188`	`if !opts.NoPush \|\| opts.CacheRepo != "" {`
`189`	`189`	`if err := executor.CheckPushPermissions(opts); err != nil {`
`190`		`- logrus.Warnf("make sure you entered the correct tag name, that you are authenticated correctly, and try again.")`
`191`		`- // mz280: remind users that DOCKER_AUTH_CONFIG gets prioritized by docker-cli`
`192`		`- // https://github.com/docker/cli/pull/6171`
`193`		`- _, ok := os.LookupEnv("DOCKER_AUTH_CONFIG")`
`194`		`- if ok {`
`195`		`- logrus.Warnf("note that your DOCKER_AUTH_CONFIG env variable can shadow credentials from configfile")`
`196`		`- logrus.Warnf("see https://github.com/osscontainertools/kaniko/issues/280#issuecomment-3498449955")`
`197`		`- }`
`198`		`- exit(fmt.Errorf("error checking push permissions: %w", err))`
	`190`	`+ exit(fmt.Errorf("error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: %w", err))`
`199`	`191`	`}`
`200`	`192`	`}`
`201`	`193`	`if err := resolveRelativePaths(); err != nil {`